SSH: Make sss_ssh_knownhostsproxy build conditional

Because this tool will be removed, we start by building an alternative
version that just displays a warning.

To build the full working tool:
```
./configure --with-ssh-known-hosts-proxy
```

Makefile.am

@@ -1627,12 +1627,15 @@ if BUILD_SSH
 sssd_ssh_SOURCES = \
     src/responder/ssh/sshsrv.c \
     src/responder/ssh/ssh_cmd.c \
-    src/responder/ssh/ssh_known_hosts.c \
     src/responder/ssh/ssh_protocol.c \
     src/responder/ssh/ssh_reply.c \
     src/responder/ssh/ssh_cert_to_ssh_key.c \
     $(SSSD_RESPONDER_OBJ) \
     $(NULL)
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+sssd_ssh_SOURCES += \
+    src/responder/ssh/ssh_known_hosts.c
+endif
 sssd_ssh_LDADD = \
     $(LIBADD_DL) \
     $(SSSD_LIBS) \
@@ -2691,11 +2694,14 @@ ssh_srv_tests_SOURCES = \
     $(TEST_MOCK_RESP_OBJ) \
     src/tests/cmocka/test_ssh_srv.c \
     src/responder/ssh/ssh_cmd.c \
-    src/responder/ssh/ssh_known_hosts.c \
     src/responder/ssh/ssh_protocol.c \
     src/responder/ssh/ssh_reply.c \
     src/responder/ssh/ssh_cert_to_ssh_key.c \
     $(NULL)
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+ssh_srv_tests_SOURCES += \
+    src/responder/ssh/ssh_known_hosts.c
+endif
 ssh_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
     -I$(abs_builddir)/src \

configure.ac

@@ -186,6 +186,7 @@ WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY
 WITH_SSH
+WITH_SSH_KNOWN_HOSTS_PROXY
 WITH_IFP
 WITH_LIBSIFP
 WITH_SYSLOG

contrib/sssd.spec.in

@@ -43,6 +43,12 @@
 %global build_passkey 0
 %endif
 
+%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
+%global build_ssh_known_hosts_proxy 0
+%else
+%global build_ssh_known_hosts_proxy 1
+%endif
+
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -576,6 +582,10 @@ autoreconf -ivf
 %if %{build_passkey}
     --with-passkey \
 %endif
+%if %{build_ssh_known_hosts_proxy}
+    --with-ssh-known-hosts-proxy \
+%endif
+
     %{nil}
 
 %make_build all docs runstatedir=%{_rundir}
@@ -811,7 +821,9 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
 %{_datadir}/sssd/cfg_rules.ini
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
 %{_mandir}/man1/sss_ssh_knownhosts.1*
+%if %{build_ssh_known_hosts_proxy}
 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
+%endif
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*

src/conf_macros.m4

@@ -707,6 +707,22 @@ AC_DEFUN([WITH_SSH],
     AM_CONDITIONAL([BUILD_SSH], [test x"$with_ssh" = xyes])
   ])
 
+AC_DEFUN([WITH_SSH_KNOWN_HOSTS_PROXY],
+  [ AC_ARG_WITH([ssh-known-hosts-proxy],
+                [AC_HELP_STRING([--with-ssh-known-hosts-proxy],
+                                [Whether to build the sss_ssh_knownhostsproxy tool [no]]
+                               )
+                ],
+                [with_ssh_know_hosts_proxy=$withval],
+                with_ssh_know_hosts_proxy=no
+               )
+
+    if test x"$with_ssh" = xyes -a x"$with_ssh_know_hosts_proxy" = xyes; then
+        AC_DEFINE(BUILD_SSH_KNOWN_HOSTS_PROXY, 1, [whether to build the sss_ssh_knownhostsproxy tool])
+    fi
+    AM_CONDITIONAL([BUILD_SSH_KNOWN_HOSTS_PROXY], [test x"$with_ssh" = xyes -a x"$with_ssh_know_hosts_proxy" = xyes])
+  ])
+
 AC_DEFUN([WITH_IFP],
   [ AC_ARG_WITH([infopipe],
                 [AC_HELP_STRING([--with-infopipe],

src/man/Makefile.am

@@ -17,6 +17,9 @@ AUTOFS_CONDS = ;with_autofs
 endif
 if BUILD_SSH
 SSH_CONDS = ;with_ssh
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+SSH_KNOWN_HOSTS_PROXY_CONDS = ;with_ssh_known_hosts_proxy
+endif
 endif
 if BUILD_PAC_RESPONDER
 PAC_RESPONDER_CONDS = ;with_pac_responder
@@ -67,7 +70,7 @@ SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
 endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
 
 
 #Special Rules:
@@ -95,8 +98,11 @@ man_MANS += sssd-ipa.5 sssd-ad.5
 endif
 
 if BUILD_SSH
-man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1 \
+man_MANS += sss_ssh_authorizedkeys.1 \
             sss_ssh_knownhosts.1
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+man_MANS += sss_ssh_knownhostsproxy.1
+endif
 endif
 
 if BUILD_SUDO

src/responder/ssh/ssh_cmd.c

@@ -54,6 +54,7 @@ ssh_check_non_sssd_user(const char *username)
 }
 
 
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
 static struct sss_domain_info *
 ssh_get_result_domain(struct resp_ctx *rctx,
                       struct cache_req_result *result,
@@ -65,6 +66,7 @@ ssh_get_result_domain(struct resp_ctx *rctx,
 
     return find_domain_by_name(rctx->domains, name, true);
 }
+#endif
 
 static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq);
 
@@ -358,24 +360,28 @@ static errno_t ssh_cmd_get_host_pubkeys(struct cli_ctx *cli_ctx)
 static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq)
 {
     struct cache_req_result *result = NULL;
-    struct sss_domain_info *domain;
     struct ssh_cmd_ctx *cmd_ctx;
-    struct ssh_ctx *ssh_ctx;
     errno_t ret;
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
+    struct sss_domain_info *domain;
+    struct ssh_ctx *ssh_ctx;
+#endif
 
     cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
-    ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
 
     ret = cache_req_ssh_host_id_by_name_recv(cmd_ctx, subreq, &result);
     talloc_zfree(subreq);
 
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
     if (ret == EOK || ret == ENOENT) {
+        ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
         domain = ssh_get_result_domain(ssh_ctx->rctx, result, cmd_ctx->domain);
 
         ssh_update_known_hosts_file(ssh_ctx->rctx->domains, domain,
                                     cmd_ctx->name, ssh_ctx->hash_known_hosts,
                                     ssh_ctx->known_hosts_timeout);
     }
+#endif
 
     if (ret != EOK) {
         ssh_protocol_done(cmd_ctx->cli_ctx, ret);

src/responder/ssh/ssh_private.h

@@ -24,8 +24,10 @@
 #include "responder/common/responder.h"
 #include "responder/common/cache_req/cache_req.h"
 
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
 #define SSS_SSH_KNOWN_HOSTS_PATH PUBCONF_PATH"/known_hosts"
 #define SSS_SSH_KNOWN_HOSTS_TEMP_TMPL PUBCONF_PATH"/.known_hosts.XXXXXX"
+#endif
 
 struct ssh_ctx {
     struct resp_ctx *rctx;
@@ -79,12 +81,14 @@ ssh_protocol_build_reply(struct sss_packet *packet,
                          struct ldb_message_element **elements,
                          uint32_t num_keys);
 
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
 errno_t
 ssh_update_known_hosts_file(struct sss_domain_info *domains,
                             struct sss_domain_info *domain,
                             const char *name,
                             bool hash_known_hosts,
                             int known_hosts_timeout);
+#endif
 
 struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
                                         struct tevent_context *ev,

src/sss_client/ssh/sss_ssh_knownhostsproxy.c

@@ -18,7 +18,27 @@
     along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#include <stdio.h>
+#include <stdlib.h>
+
+#include "config.h"
+#include "util/util.h"
+
+#ifndef BUILD_SSH_KNOWN_HOSTS_PROXY
+
+int main(void)
+{
+    ERROR("\n"
+          "******************************************************************************\n"
+          "Your system is configured to use the obsolete tool sss_ssh_knownhostsproxy.\n"
+          "Please read the sss_ssh_knownhosts(1) man page to learn about its replacement.\n"
+          "******************************************************************************\n"
+          "\n");
+
+    return EXIT_FAILURE;
+}
+
+#else /* BUILD_SSH_KNOWN_HOSTS_PROXY */
+
 #include <talloc.h>
 #include <unistd.h>
 #include <fcntl.h>
@@ -30,7 +50,6 @@
 #include <netdb.h>
 #include <popt.h>
 
-#include "util/util.h"
 #include "util/crypto/sss_crypto.h"
 #include "util/sss_ssh.h"
 #include "sss_client/sss_cli.h"
@@ -345,3 +364,4 @@ int main(int argc, const char **argv)
 
     return ret;
 }
+#endif /* BUILD_SSH_KNOWN_HOSTS_PROXY */

src/tests/multihost/ad/test_adparameters_ported.py

@@ -3317,14 +3317,20 @@ def test_0041_ad_parameters_sss_ssh_knownhostsproxy(
             'cp /etc/ssh/ssh_config /etc/ssh/ssh_config.working',
             raiseonerr=False
         )
-        # Configure known hosts proxy
-        multihost.client[0].run_command(
-            r'echo -e "\tGlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts'
-            r'" >> /etc/ssh/ssh_config; echo -e "\tPubkeyAuthentication yes"'
-            r' >> /etc/ssh/ssh_config; echo -e "\tProxyCommand /usr/bin/'
-            r'sss_ssh_knownhostsproxy -p %p %h" >> /etc/ssh/ssh_config',
-            raiseonerr=False
-        )
+        # Configure the known hosts tool
+        tool = multihost.client[0].run_command('test -x /usr/bin/sss_ssh_knownhosts',
+                                               raiseonerr=False)
+        if tool.returncode == 0:
+            cmd = r'echo -e "\tPubkeyAuthentication yes" >> /etc/ssh/ssh_config;' \
+                  r'echo -e "\tKnownHostsCommand /usr/bin/sss_ssh_knownhosts %H"' \
+                  r' >> /etc/ssh/ssh_config'
+        else:
+            cmd = r'echo -e "\tGlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts"' \
+                  r' >> /etc/ssh/ssh_config; echo -e "\tPubkeyAuthentication yes"' \
+                  r' >> /etc/ssh/ssh_config; echo -e "\tProxyCommand /usr/bin/' \
+                  r'sss_ssh_knownhostsproxy -p %p %h" >> /etc/ssh/ssh_config'
+        multihost.client[0].run_command(cmd, raiseonerr=False)
+
         # Clear cache and restart SSSD
         client.clear_sssd_cache()